Information security threats are evolving and companies are increasingly vulnerable.
Traditional “grab and go” forms of breach are now being superseded as online criminals seek to gain access to valuable personal and financial data and corporate intellectual property through more insidious “low and slow” threats that are harder to detect.
At the same time, the increasing prevalence of mobile enterprise applications, big data initiatives and Internet of Things (IoT) devices is giving cybercriminals new points of entry for malicious attacks.
This combination of new threats and greater exposure means that organisations of all sizes face heightened security risks in 2015.
Fortunately, security technologies also continue to develop and, when implemented alongside robust security policies, can provide protection through multi-faceted prevention, early detection and rapid response.
What trends will information security officers most need to watch in 2015?
• Destructive malware spreads further and faster
While crimeware – such as keyloggers or password-stealing trojans – has typically been the most common malware against which companies need to protect themselves, new destructive types of malware are now on the rise.
Wiper-style attacks and ransomware trojans are being let loose by cyberterrorists and criminal groups.
Hacktivists are also adopting these new weapons as organisations gain the ability to mitigate the consequences of distributed denial of service attacks. In addition, destructive malware is now spreading into mobile environments.
Preparing for these types of attacks is crucial. Businesses use network security and analysis to improve detection of malicious activity before it can take hold and recover more quickly from incidents with offline backups.
• Software vulnerabilities impact more critical systems
As is the case every year, a number of software vulnerabilities were announced in 2014. A few, like Heartbleed, Shellshock and POODLE, even caught the attention of people outside the IT community.
We can expect more of this in the year ahead. Much of today’s software, such as the open source code used by device manufacturers to reduce development costs, is widely used across systems and vendors, which increases the destructive potential of vulnerabilities.
There is no way to know where the next vulnerability will emerge, but there will certainly be more to come.
With vulnerabilities being more widespread, more critical systems will be exposed to attack. It will no longer be possible to avoid patching these critical systems so as not to disrupt performance.
Thus, patching will become a new priority for organisations in the coming year.
• BYOD adoption reaches an inflection point
With the proliferation of “bring your own device” (BYOD) practices, security risks are multiplying. Users lack the knowledge and tools to adequately protect corporate information on their consumer devices or the privacy of their personal data in the corporate environment.
Furthermore, some devices need to support more than two personas. For example, doctors who work for multiple hospitals need to segment and secure data from each organisation, as well as their personal data.
Businesses can deploy a layered approach that addresses security with device-level containers to separate data for different uses, secure network connections and advanced security in the cloud, thus creating a highly secure end-to-end connection.
Administrators will need to be vigilant in demanding consistent patching of BYOD devices. Now is also a good time to begin preparing for the next phase of BYOD: bring your own cloud.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.